Checkpoint R80+ VPN client chroot wrapper

VPN client chroot'ed Debian setup/wrapper

for Debian/Ubuntu/RedHat/CentOS/Fedora/Arch/SUSE/Gentoo/Slackware/Void/Deepin/KaOS/Pisi/Kwort/Clear/NuTyx/Mariner Linux based hosts

Checkpoint R80.10 and up

https://github.com/ruyrybeyro/chrootvpn

Rui Ribeiro 2022-2024

Tiago Teles @ttmx - Contributions for Arch Linux

Robson Rodrigues @robsonrod - Contribution for NixOS

The official Mobile Access Portal Agent (CShell) and the SSL Network Extender (SNX) CheckPoint scripts are severely outdated, not working with recent Linux distributions. This script downloads them from the firewall/VPN we intend to connect to, and installs them in a chrooted environment. (*)

Being SNX still a 32-bits binary together with the multiples issues of satisfying cshell_install.sh requirements, a chroot is used in order to not to corrupt (so much) the Linux user desktop, and yet still tricking snx / cshell_install.sh into "believing" all the requirements are satisfied; e.g. both SNX and CShell behave on odd ways ; furthermore, Fedora and others already deprecated 32-bit packages necessary for SNX ; the chroot setup is built to counter some of those behaviours and provide a more secure setup.

Whilst the script supports most of the Linux distributions around as the host OS, it still uses Debian i386 for the chroot "light container".

CShell CheckPoint Java agent needs Java (already in the chroot) and X11 desktop rights. The binary SNX VPN client needs a 32-bits environment. The SNX binary, the CShell agent/daemon (and Java) install and run under chrooted Debian. The Linux host runs Firefox (or another browser).

resolv.conf, VPN IP address, routes and X11 "rights" "bleed" from the chroot directories and kernel shared with the host to the host Linux OS.

The Mobile Access Portal Agent, unlike the ordinary cshell_install.sh official setup, runs with its own non-privileged user which is different than the logged in user. In addition, instead of adding the localhost self-signed Agent certificate to a user personal profile as the official setup does, this script install a server-wide global Firefox policy file instead when possible. Notably when Firefox is a snap, or the distribution already has a default Firefox policy file, a new policy won't be installed.

As long the version of the Debian/RedHat/SUSE/Arch distribution is not at the EOL stage, chances are very high the script will run successfully. Void, Gentoo, Slackware, Deepin,NuTyx,Pisi/Kwort and KaOS variants are not so thoroughly tested. Have a look near the end of this document, for the more than 110 recent versions/distributions successfully tested.

(*) It is of no use opening issues with the CShell/SNX scripts failing to installs in your normal OS shell/outside the chroot environment. The whole point of this script is automagically installing and providing an alternative environment able to run them and getting in sync with the host OS.

Moreover, the author acknowledges that Linux has the capability to establish a connection to a FW/1 VPN through IPSEC. However, it's important to note that this configuration is not commonly implemented in the majority of corporate or educational setups. It typically requires a more technically proficient end user to navigate and set up.

For the stable release, download rpm or deb file from the last release.

• First time installing, run it as:

    vpn.sh -i --vpn=FQDN_DNS_name_of_VPN
  

• accept localhost certificate in brower if not Firefox or if Firefox is a snap

  https://localhost:14186/id

• visit web VPN page aka Mobile Access Portal for logging in

• To launch it any time after installation or a reboot

    vpn.sh start
  

• the script tries to launch itself upon user xorg login via XDG. To have an automatic launch, if vpn.sh was installed via rpm or deb, add to /etc/sudoers

    your_user ALL=(ALL:ALL) NOPASSWD: /usr/bin/vpn.sh
  

• Whilst it is recommended having Firefox already installed, for deploying via this script a Firefox policy for automagically accepting the self-signed Mobile Access Portal Agent X.509 certificate, if it is not present a already a policy, you can install a Firefox policy any time doing:

    vpn.sh policy
  

• If /opt/etc/vpn.conf is present the above script settings will be ignored. vpn.conf is created upon first installation. Thus, for reinstalling, you can run:

    vpn.sh -i
  

• For delivering the script to other users, you can fill up VPN and VPNIP variables at the beginning of the script. They can then install it as:

    vpn.sh -i
  

• For opening issues, please provide de output debug information, adding -d to your command line:

    vpn.sh -d
  

• Depending on how much of the chroot is installed, also seeing logs can be useful, as in:

    vpn.sh logs
  

vpn.sh [-l][-f FILE][-c DIR|--chroot=DIR][--proxy=proxy_string][--vpn=FQDN] -i|--install

vpn.sh [-f FILE][-o FILE|--output=FILE][-c|--chroot=DIR] start|stop|restart|status

vpn.sh [-f FILE][-c DIR|--chroot=DIR] [uninstall|rmchroot]

vpn.sh [-f FILE][-o FILE|--output=FILE] disconnect|split|selfupdate|fixdns

vpn.sh -h|--help

vpn.sh -v|--version

For debugging/maintenance:

vpn.sh -d|--debug vpn.sh sudoers vpn.sh [-c DIR|--chroot=DIR] shell|upgrade

vpn.sh shell

This script can be downloaded running:

• git clone https://github.com/ruyrybeyro/chrootvpn/blob/main/vpn.sh
• wget https://raw.githubusercontent.com/ruyrybeyro/chrootvpn/main/vpn.sh
• curl https://raw.githubusercontent.com/ruyrybeyro/chrootvpn/main/vpn.sh -O

• The Web page of Mobile access portal has to open in a browser and allow login with or without this script/SNX/CShell installed;

• The user installing/running the script has to got sudo rights (for root);

• For the CShell daemon to start automatically upon the user XDG login, the user must be able to sudo /usr/bin/vpn.sh or /usr/local/bin/vpn.sh without a password;

• The CShell daemon writes over X11; if VPN is not working when called/installed from a ssh session, or after logging in, start/restart the script using a X11 graphical terminal;

• The script/chroot is not designed to allow automatic remote deploying of new versions of both CShell (or SNX?)-apparently this functionality is not supported for Linux clients. If the status command of this script shows CShell or SNX new versions remotely, uninstall, and install the chroot setup again;

• For (re)installing newer versions of SNX/CShell delete the chroot with vpn.sh uninstall and vpn -i again; after the configurations are saved in /opt/etc/vpn.conf, vpn -i is enough;

• The CShell daemon runs with a separate non-privileged user, and not using the logged in user;

• if using Firefox, is advised to have it installed before running this script;

• if Firefox is reinstalled, better uninstall and (re)install vpn.sh, for the certificate policy file to be (re)deployed, or run:

    vpn.sh policy
  

• if TZ is not set before the script or edited, default time is TZ='Europe/Lisbon';

• if having issues connecting to VPN after first installation/OS upgrade, reboot;

• if having DNS issues in Debian/Ubuntu/Parrot right at the start of the install, reboot and (re)start installation;

• If after login, the web Mobile Portal is asking to install software, most of the time, either the CShell daemon is not up, or the Firefox policy was not installed or Firefox is a snap. do vpn.sh start and visit https://localhost:14186/id

• Linux rolling releases distributions must be fully up to date before installing any new packages. Bad things can happen and will happen running this script if packages are outdated;

• At least Arch after kernel(?) updates seem to occasionally need a reboot for the VPN to work;

• If having the error "Check Point Deployment Shell internal error" run vpn.sh uninstall and install again with vpn.sh -i

• When installing in Clear Linux, if Error: cannot aquire lock file persists, kill swupd

• CShell runs an https server at localhost:14186, so in a minimalist distribution such as Alpine, you shan't forget to setup the lo interface.

The following screens show actions to be performed after running the script.

1. Accepting localhost certificate in Firefox at https://localhost:14186/id IF a policy not applied or Firefox is installed as a snap. This is done only once in the browser after each chroot (re)installation.

If the certificate is not accepted manually or via a policy installed by vpn.sh, Mobile Portal will complain about lack of installed software, whether CShell and SNX are running or not.

2. Logging in into Mobile Portal VPN. If using a double factor auth PIN, write the regular password followed by the PIN.

Select "Continue sign in" and "Continue" if logged in in other device/software.

First time logging in, select Settings:

And: "automatically" and "Network mode". This only needs to be done ONCE, the first time you login into the Mobile Portal.

Then press Connect to connect to the firewall.

The negotiation of a connection takes a (little) while.

First and each time after reinstalling the chroot/script, "Trust server" has to be selected.

The signature must be accepted too. It will happen several times if there is a cluster solution.

Finally, the connection is established. The user will be disconnected then upon timeout, closing the tab/browser, or pressing Disconnect.

For creating temporarily a split tunnel on the client side, only after the VPN is up:

       vpn.sh split

If the VPN is giving "wrong routes", deleting the default VPN gateway might not be enough, so there is a need to fill in routes in the SPLIT variable, by default at /opt/etc/vpn.conf, or if before installing for the first time, at the beginning of the vpn.sh script.

The SPLIT variable accepts the following directives:

Example: split VPN with Internet access, and private addresses via VPN

• dropping all VPN routes

• adding a route to 10.0.0.0/8 via the VPN

• adding a route to 192.168.0.0/16 via the VPN

• adding a route to 172.16.0.0/12 via the VPN

       SPLIT="flush +10.0.0.0/8 +192.168.0.0/16 +172.16.0.0/12"
  

Example: Deleting default gateway given by the VPN, and adding a new route:

• dropping the VPN default gateway

• adding a route to 10.0.0.0/8 via the VPN

       SPLIT="-0.0.0.0/1 +10.0.0.0/8"
  

Beware of NDAs and policies around manipulating VPN routes.

SSL Network Extender https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk65210#Linux%20Supported%20Platforms

How to install SSL Network Extender (SNX) client on Linux machines https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk114267

Mobile Access Portal Agent Prerequisites for Linux https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk119772

Mobile Access Portal and Java Compatibility https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk113410

Mobile Access Portal Agent for Mozilla Firefox asks to re-install even after it was properly installed https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk122576&partition=Advanced&product=Mobile

Unable to connect with SSL Network Extender on Linux machine https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk114521

Check Point Remote Access Solutions - Gateway-Based Access https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk67820

Remote Access FAQ covering IPSec and HTTPS portal based VPN solutions (needs a CheckPoint login) https://supportcenter.checkpoint.com/supportcenter/portal?action=portlets.SearchResultMainAction&eventSubmit_doGoviewsolutiondetails=&solutionid=sk166032

see also Unix SE post: VPN SSL Network Extender in Firefox https://unix.stackexchange.com/questions/450131/vpn-ssl-network-extender-in-firefox

Tested with:

The default for the chroot is Debian 12 i386.

with the following Linux x86_64 hosts:

(1) - implementation for advanced users/VMs

(2) - no /etc/resolv.conf from VPN